What are hackers really looking for when they attack small businesses?

Outsourced IT providers love to rattle off statistics when trying to convince owners of small- and medium-sized businesses (SMBs) how important cybersecurity is:

Australian businesses and government organisations are expected to spend up to $3.8 billion on cybersecurity in 2018…

A 2017 Norton SMB cybersecurity survey pegged the average cost of a cyberattack to an SMB at over $10,000…

The same survey says that almost 1 in 4 SMBs has experienced a cyberthreat…

The list goes on and on.

Beyond all the hype and doom and gloom, what actually happens during and after these attacks? How are hackers able to cause so much damage to companies with relatively small operations?

These are questions our office has been seeing a lot of recently, and there’s no better way to answer them than to look at some real-world examples.

Employee and customer records

One of the most common targets for hackers is personally identifiable information, such as date of birth, home address, or social security number. Attackers use it to either steal someone’s identity or sell the information to the highest bidder on the dark web — that part of the internet that needs an anonymizing browser to be accessed. At the very least, every single business stores this information in the form of its employees’ W-2s. However, companies with medical records are especially at risk.

In one of Australia’s biggest data breaches last year, thousands of workers from the public and private sectors were caught up in a massive leak when a third-party contractor stored the data in an incorrectly configured cloud platform. This is one reason it’s so critical for SMBs to outsource their IT to a reputable provider who can monitor and assess their cloud storage 24/7.

Financial information

Unless you’re among the dwindling number of companies that rely on cash, you deal with credit cards, bank account numbers and other financial records daily. So, even if you run a modest-sized dentist’s office or marketing firm, a hacker could make off with a five-digit payout.

In worst-case scenarios, hackers target businesses that store a lot more than basic payment details. For example, a company right here in Perth that purchases structured settlements could be compromised by “an unidentified third party” with unauthorised access to a small cache of files.

Even though the files may never show up in a crime, the affected company is legally obligated to notify its customers. Expensive lawyers need to be hired, PR disaster management is required, and irreversible reputational damage is possible, all of which can be avoided with a holistic approach to data security.

Documents that lead to extortion

With the advent of ransomware, hackers no longer need to target specific types of information. If a program like WannaCry can be installed, it doesn’t matter what kind of data you store. Every computer on your network will be locked down until you pay a ransom, keeping you from conducting business until you finally break.

Despite what some small business owners might believe, ransomware isn’t just hype. Less than two years ago, a 9-1-1 dispatch system in the United States was infected, forcing emergency responders to document the calls with pen and paper. This example might seem like a far cry from an SMB, but many ransomware strains spread like viruses, targeting their victims without prejudice. That’s not something you can recover from without a thorough set of recent data backups.

With the ability to send messages from seemingly trustworthy addresses, hackers could trick recipients into giving up extremely sensitive information. We’re willing to bet the ill-fated firm was relying solely on an in-house IT staffer who didn’t have enough time to properly secure employee email accounts or coach the office on proper password habits.

Is your information safe?

Every business — from those in Perth down to every corner of Western Australia — stores these three types of information:

Employee W-2s

Customer credit card purchases

Confidential business data

Installing anti-virus software does not even come close to adequately protecting the information you have control over! Even if you aren’t in the healthcare or financial industries, your business faces very real threats every single day.